Vulnerability Severity

Our RedSeal implementation does import data from Tenable scans. After exporting the vulnerabilities listed in RedSeal to a tsv file and analyzing the data, I have too many questions and disagreements on the output.

For example, the Tenable plugin number is published by the RedSeal report. The CVEs associated with a specific plugin number have their severity categorized as "Informational" on Tenable and "HIGH" on RedSeal. How is RedSeal determining this as a "HIGH" severity vulnerability?

We import data from many different scanners, including all their proprietary comments, scores, etc. However, when we evaluate the vulnerability, we go back to SCAP standards - we don't take the vendor scores as authoritative. This is the point of the government-backed standards efforts, of course - the security industry as a whole needs standard ways to communicate about vulnerabilities between products.

So if you see a result that looks suspect, I'd suggest checking what the National Vulnerability Database says about it. If, say, Tenable says something is low priority, but the NVD says it's very serious, RedSeal relies on the NVD. We'd be happy to research any examples you can share, but if you'd rather not publish a specific CVE, it's easy enough to check that CVE on the NVD web site, to see what the standard values are.

Should you find that you disagree with the US Govt standard values from the NVD, then we have ways you can override them, but of course, this is a very significant step. (This is called "TRL Customization".) I wouldn't rush to do that unless it's clear the standard value is wrong.
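As an added example (not RedSeal's or Tenable's code), here is a small Python script that does the check the answer recommends: it walks a RedSeal-style TSV export and flags every CVE whose scanner severity differs from the severity implied by the NVD's CVSS base score. The TSV column names, the CVE identifiers and the NVD scores are all constructed for the demo; the severity bands are the NVD's published CVSS v2/v3 ranges, and RedSeal's own mapping is not claimed here.

```python
import csv
import io

# Constructed sample of a RedSeal-style TSV export (column names are assumed).
TSV_EXPORT = """plugin_id\tcve\tscanner_severity
11219\tCVE-0000-0001\tInformational
11219\tCVE-0000-0002\tInformational
10863\tCVE-0000-0003\tHigh
"""

# Constructed stand-in for NVD data: cve -> (CVSS version, base score).
# A real run would pull these from the NVD rather than a literal dict.
NVD_SCORES = {
    "CVE-0000-0001": ("3.1", 8.8),
    "CVE-0000-0002": ("3.1", 2.4),
    "CVE-0000-0003": ("2.0", 7.2),
}

def nvd_severity(version, score):
    """Map a CVSS base score to the severity band the NVD publishes for it."""
    if version.startswith("3"):          # CVSS v3.x: None/Low/Medium/High/Critical
        if score == 0.0:
            return "None"
        if score < 4.0:
            return "Low"
        if score < 7.0:
            return "Medium"
        if score < 9.0:
            return "High"
        return "Critical"
    if score < 4.0:                      # CVSS v2: Low/Medium/High only
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"

def find_disagreements(tsv_text, nvd_scores):
    """Return (plugin_id, cve, scanner_severity, nvd_severity) for each mismatch."""
    mismatches = []
    for row in csv.DictReader(io.StringIO(tsv_text), delimiter="\t"):
        cve = row["cve"]
        if cve not in nvd_scores:
            mismatches.append((row["plugin_id"], cve, row["scanner_severity"], "NOT IN NVD"))
            continue
        standard = nvd_severity(*nvd_scores[cve])
        if standard.lower() != row["scanner_severity"].lower():
            mismatches.append((row["plugin_id"], cve, row["scanner_severity"], standard))
    return mismatches

if __name__ == "__main__":
    for plugin, cve, vendor, standard in find_disagreements(TSV_EXPORT, NVD_SCORES):
        print(f"plugin {plugin} {cve}: scanner={vendor} NVD={standard}")
```

Rows that come back with an NVD band of High or Critical while the scanner says Informational are exactly the cases the answer describes, where the standard score rather than the vendor label decides.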